Advisory: Apache log4j vulnerability (CVE-2021-45105)

Sage was alerted (Saturday 18th December 2021) to a Common Vulnerabilities and Exposures notice (CVE-2021-45105) that Apache Log4j2 does not always protect from infinite recursion in lookup evaluation. This means that Log4j2 is vulnerable to potential Denial of Service attacks.

References

https://logging.apache.org/log4j/2.x/security.html
https://nvd.nist.gov/vuln/detail/CVE-2021-45105

Sage is treating this as an emergency/critical issue.

The Apache Log4j 2 library is used in the 2020 R2, 2021 R1, and 2021 R2 versions of Sage CRM.

Patches for Sage CRM

Sage has 3 patches in test to update Apache Log4j to 2.17:

Sage CRM 2020 R2
Sage CRM 2021 R1
Sage CRM 2021 R2

Availability of the patches will be announced on Sage City.

Please watch the following Sage City links for news:

Sage City page: https://www.sagecity.com/sage-global-solutions/sage-crm/f/sage-crm-announcements-news-and-alerts
Sage City feed: https://www.sagecity.com/sage-global-solutions/sage-crm/f/sage-crm-announcements-news-and-alerts/rss

This applies to Sage CRM both standalone and when integrated with Sage accounting products: Sage 50, Sage 100, Sage 200, Sage 1000, Sage 300, Sage X3 and Sage Intacct.
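
A check an administrator can run against an installation directory before and after patching, given here as an added example that is not Sage's or Apache's code: it finds every log4j-core jar under a directory and flags versions below the 2.17 target named in this advisory. The directory to scan is an assumption supplied by the caller, and jars nested inside WAR or EAR archives are not opened.

```python
import re
import sys
import zipfile
from pathlib import Path

TARGET = (2, 17, 0)  # patch target named in this advisory
# Maven metadata that log4j-core jars carry (survives a renamed file)
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

def parse_version(text):
    """Turn '2.14.1' or '2.17' into a comparable tuple; None if unparseable."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    return tuple(int(g or 0) for g in m.groups()) if m else None

def jar_version(jar_path):
    """Version of log4j-core in this jar, or None if it is not log4j-core."""
    try:
        with zipfile.ZipFile(jar_path) as jar:
            if POM_PROPS in jar.namelist():
                props = jar.read(POM_PROPS).decode("utf-8", "replace")
                for line in props.splitlines():
                    if line.startswith("version="):
                        return parse_version(line.split("=", 1)[1])
    except (zipfile.BadZipFile, OSError):
        pass  # unreadable archive: fall back to the file name
    m = re.search(r"log4j-core-(\d[\d.]*)", Path(jar_path).name)
    return parse_version(m.group(1)) if m else None

def scan(root):
    """Return (path, version, outdated) for each log4j-core jar under root."""
    findings = []
    for jar_path in sorted(Path(root).rglob("*.jar")):
        version = jar_version(jar_path)
        if version is not None:
            findings.append((str(jar_path), version, version < TARGET))
    return findings

if __name__ == "__main__":
    # Assumption: the directory to scan is passed as the first argument.
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, version, outdated in scan(root):
        status = "OUTDATED" if outdated else "ok"
        print(f"{status:8} {'.'.join(map(str, version))}  {path}")
```

Reading the version from the embedded metadata first means a renamed jar is still identified; the file name is only a fallback.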